From 603f2903f302262ffcc1fa060571c9f8733334fa Mon Sep 17 00:00:00 2001 From: Martin Pinter Date: Thu, 2 Oct 2025 09:46:09 +0200 Subject: [PATCH 1/3] New image base for custom runner --- .github/workflows/build.yml | 9 ++++----- Dockerfile | 38 ++++++++++++++++++------------------- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47d249c..c48610e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,7 +2,7 @@ name: Build & Push Image on: schedule: - - cron: '0 0 * * 0' + - cron: "0 0 * * 0" pull_request: branches: - master @@ -10,7 +10,7 @@ on: env: IMAGE_NAME: ${{ vars.HARBOR_REGISTRY }}/${{ vars.HARBOR_NAMESPACE }}/actions-runner-dind - IMAGE_BASE: 'ubuntu-20.04' + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: build: runs-on: ubuntu-latest @@ -22,9 +22,8 @@ jobs: uses: actions/checkout@v3 - name: Docker Image Tag run: | - IMAGE_TAG=$(curl -s https://hub.docker.com/v2/repositories/summerwind/actions-runner-dind/tags \ - | grep -o '"name": *"[^"]*' | grep -o '[^"]*ubuntu-20.04$' | grep -v "^${IMAGE_BASE}$" \ - | sort -r | head -n 1) + IMAGE_TAG=$(curl -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/orgs/actions/packages/container/actions-runner/versions" \ + | grep -o '"[0-9]\+\.[0-9]\+\.[0-9]\+"' | tr -d '"' | sort -r | head -n 1) echo "IMAGE_TAG=$(echo $IMAGE_TAG)" >> $GITHUB_ENV - name: Docker Metadata id: meta diff --git a/Dockerfile b/Dockerfile index 79210e9..0567a2c 100644 --- a/Dockerfile +++ b/Dockerfile 
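Review bot: The `Docker Image Tag` step can end up with an empty or wrong `IMAGE_TAG` without failing: `curl` is called without `-f`, so an error response from the packages API is simply piped into `grep`, and `sort -r` orders the versions as strings rather than as versions. The endpoint is also paginated, so only the first page of versions is inspected unless paging is handled. I would change the pipeline to `curl -fsSL -H "Authorization: token $GITHUB_TOKEN" "<same URL>" | grep -o '"[0-9]\+\.[0-9]\+\.[0-9]\+"' | tr -d '"' | sort -V | tail -n 1` and follow it with `[ -n "$IMAGE_TAG" ] || { echo "could not resolve runner version" >&2; exit 1; }`. The same pipeline is added again in the `Get latest runner version from GitHub API` step of check-runner-updates.yml in patch 3/3.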
@@ -1,26 +1,26 @@ -FROM summerwind/actions-runner-dind:ubuntu-20.04 as prod +FROM ghcr.io/actions/actions-runner:latest AS prod USER root -# installing prerequisities needed for bratiska-cli - yarn, kustomize, envsubst -RUN mkdir -p ~/.local/bin/ \ - # install envsubst - && apt-get update && apt-get install gettext-base \ - # install yarn and make it executable command - && curl -fsSL -o ~/.local/bin/yarn https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-1.22.19.js \ - && chmod +x ~/.local/bin/yarn \ - # install kustomize and make it executable command - && curl -fsSL -o ~/install_kustomize.sh "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" \ - && bash ~/install_kustomize.sh ~/.local/bin \ - # clean up apt cache and installation scripts - && rm ~/install_kustomize.sh \ - && rm -rf /var/cache/apt/archives /var/lib/apt/lists/* +# installing prerequisities needed for bratiska-cli (and sometimes npm build) - yarn, kustomize, envsubst and make +RUN mkdir -p /home/runner/.local/bin/ \ + # install envsubst + && apt-get update && apt-get install gettext-base \ + && apt-get install make \ + # install yarn and make it executable command + && curl -fsSL -o /home/runner/.local/bin/yarn https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-1.22.19.js \ + && chmod +x /home/runner/.local/bin/yarn \ + # install kustomize and make it executable command + && curl -fsSL -o /home/runner/install_kustomize.sh "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" \ + && bash /home/runner/install_kustomize.sh /home/runner/.local/bin \ + # clean up apt cache and installation scripts + && rm /home/runner/install_kustomize.sh \ + && rm -rf /var/cache/apt/archives /var/lib/apt/lists/* \ + # fix ownership of local bin directory to runner user + && chown -R runner:runner /home/runner/.local -# update path with yarn package installation directory -ENV 
PATH="${PATH}:/home/runner/.yarn/bin" - -# add docker buildx BuildKit plugin -COPY --from=docker/buildx-bin:latest /buildx /usr/libexec/docker/cli-plugins/docker-buildx +# update path with local bin directory +ENV PATH="${PATH}:/home/runner/.local/bin" USER runner From 6d15f3172fb2d3c037396bd592dcfb948bdf52f4 Mon Sep 17 00:00:00 2001 From: Martin Pinter Date: Tue, 7 Oct 2025 06:37:29 +0200 Subject: [PATCH 2/3] Install build-essential --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0567a2c..95783d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,11 +2,13 @@ FROM ghcr.io/actions/actions-runner:latest AS prod USER root -# installing prerequisities needed for bratiska-cli (and sometimes npm build) - yarn, kustomize, envsubst and make +# installing prerequisities needed for bratiska-cli (and sometimes npm build) - yarn, kustomize, envsubst and build-essential RUN mkdir -p /home/runner/.local/bin/ \ + && apt-get update \ + # needed for make / g++, which is sometimes needed in npm build + && apt-get install -y --no-install-recommends --fix-missing build-essential \ # install envsubst - && apt-get update && apt-get install gettext-base \ - && apt-get install make \ + && apt-get install gettext-base \ # install yarn and make it executable command && curl -fsSL -o /home/runner/.local/bin/yarn https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-1.22.19.js \ && chmod +x /home/runner/.local/bin/yarn \ From 02e868c8f7d0ededa7d57873265f854fb8072ffe Mon Sep 17 00:00:00 2001 
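Review bot: The kustomize installer is still fetched from the mutable `master` branch and run with `bash` as root, so whatever that branch serves at build time executes during the image build with no integrity check; the yarn download likewise has no checksum. Pin the script URL to a commit, e.g. `https://raw.githubusercontent.com/kubernetes-sigs/kustomize/<PINNED_COMMIT_SHA>/hack/install_kustomize.sh`, and verify it before running with `echo "<EXPECTED_SHA256>  /home/runner/install_kustomize.sh" | sha256sum -c -`. A short comment above the `RUN` saying why the tools are placed under `/home/runner/.local/bin` and why the final `chown` is needed would also help, since the whole step runs as root.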
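Review bot: `--fix-missing` on the `build-essential` install tells apt to carry on when a package cannot be downloaded, so a flaky mirror can produce an image with an incomplete toolchain instead of a failed build; the `gettext-base` install that follows also still has no `-y` or `--no-install-recommends`. A single install line covers both: `&& apt-get install -y --no-install-recommends build-essential gettext-base \`. The `RUN` instruction continues past the end of this hunk.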
From: Martin Pinter Date: Mon, 13 Oct 2025 12:59:11 +0200 Subject: [PATCH 3/3] Fix runner version and add github workflow. - fixed version in dockerfile - build no longer runs on cronjob - added check-runner-updates job that checks for updates and notifies --- .github/workflows/build.yml | 4 +- .github/workflows/check-runner-updates.yml | 116 +++++++++++++++++++++ Dockerfile | 2 +- README.md | 8 +- 4 files changed, 124 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/check-runner-updates.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c48610e..32a56bb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,7 @@ name: Build & Push Image on: - schedule: - - cron: "0 0 * * 0" - pull_request: + push: branches: - master workflow_dispatch: diff --git a/.github/workflows/check-runner-updates.yml b/.github/workflows/check-runner-updates.yml new file mode 100644 index 0000000..817ab81 --- /dev/null +++ b/.github/workflows/check-runner-updates.yml 
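Review bot: With `pull_request` dropped from `on:`, nothing in this workflow builds a change before it lands on master, so the version-bump PRs opened by check-runner-updates.yml are first built by the same run that publishes the image. Keeping `pull_request:` with `branches: [master]` next to `push:` and gating the push step with `if: github.event_name != 'pull_request'` would preserve a pre-merge build without publishing from PRs. The job definition lies outside this hunk, so whether the push step is already gated is not visible here.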
@@ -0,0 +1,116 @@ +name: Check Actions Runner Updates + +on: + schedule: + # Run every Monday at 9 AM UTC + - cron: "0 9 * * 1" + workflow_dispatch: + +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + +jobs: + check-updates: + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + ref: ${{ github.ref }} + + - name: Get current runner version from Dockerfile + id: current-version + run: | + CURRENT_VERSION=$(grep -o 'ghcr.io/actions/actions-runner:[0-9]\+\.[0-9]\+\.[0-9]\+' Dockerfile | sed 's/ghcr.io\/actions\/actions-runner://') + echo "current=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "Current version: $CURRENT_VERSION" + + - name: Get latest runner version from GitHub API + id: latest-version + run: | + # Get the latest version from GitHub Container Registry API + LATEST_VERSION=$(curl -H "Authorization: token $GITHUB_TOKEN" "https://api.github.com/orgs/actions/packages/container/actions-runner/versions" \ + | grep -o '"[0-9]\+\.[0-9]\+\.[0-9]\+"' | tr -d '"' | sort -r | head -n 1) + + echo "latest=$LATEST_VERSION" >> $GITHUB_OUTPUT + echo "Latest version: $LATEST_VERSION" + + - name: Compare versions + id: compare-versions + run: | + CURRENT="${{ steps.current-version.outputs.current }}" + LATEST="${{ steps.latest-version.outputs.latest }}" + + echo "Comparing: $CURRENT vs $LATEST" + + # Use sort -V for version comparison + if [ "$(printf '%s\n' "$CURRENT" "$LATEST" | sort -V | head -1)" != "$LATEST" ]; then + echo "update_needed=true" >> $GITHUB_OUTPUT + echo "Update needed: $CURRENT -> $LATEST" + else + echo "update_needed=false" >> $GITHUB_OUTPUT + echo "No update needed. Current version is up to date." 
+ fi + + - name: Update Dockerfile + if: steps.compare-versions.outputs.update_needed == 'true' + run: | + # Update the Dockerfile with the new version + sed -i "s/ghcr.io\/actions\/actions-runner:[0-9]\+\.[0-9]\+\.[0-9]\+/ghcr.io\/actions\/actions-runner:${{ steps.latest-version.outputs.latest }}/" Dockerfile + echo "Updated Dockerfile with new version: ${{ steps.latest-version.outputs.latest }}" + + - name: Create Pull Request + if: steps.compare-versions.outputs.update_needed == 'true' + id: create-pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "chore: update actions-runner to ${{ steps.latest-version.outputs.latest }}" + title: "Update Actions Runner to ${{ steps.latest-version.outputs.latest }}" + base: "master" + body: | + ## šŸš€ Actions Runner Update + + This PR updates the GitHub Actions runner from `${{ steps.current-version.outputs.current }}` to `${{ steps.latest-version.outputs.latest }}`. + + ### Changes + - Updated Dockerfile base image from `ghcr.io/actions/actions-runner:${{ steps.current-version.outputs.current }}` to `ghcr.io/actions/actions-runner:${{ steps.latest-version.outputs.latest }}` + + --- + *This PR was automatically created by the [Check Actions Runner Updates](.github/workflows/check-runner-updates.yml) workflow.* + branch: update-actions-runner-${{ steps.latest-version.outputs.latest }} + delete-branch: true + + - name: Send Slack Notification + if: steps.compare-versions.outputs.update_needed == 'true' && env.SLACK_BOT_TOKEN != '' + uses: slackapi/slack-github-action@v2.1.1 + with: + errors: true + method: chat.postMessage + token: ${{ secrets.SLACK_BOT_TOKEN }} + payload: | + { + "channel": "C036AH93SPL", + "text": "šŸš€ *Actions Runner Update Available*\n\nA new GitHub Actions runner version has been detected and a PR has been created:\n\n• *Current Version:* `${{ steps.current-version.outputs.current }}`\n• *Latest Version:* `${{ steps.latest-version.outputs.latest 
}}`\n• *Pull Request:* \n\nPlease review and merge the PR when ready." + } + + - name: Send Slack Notification (No Updates) + if: steps.compare-versions.outputs.update_needed == 'false' && env.SLACK_BOT_TOKEN != '' + uses: slackapi/slack-github-action@v2.1.1 + with: + errors: true + method: chat.postMessage + token: ${{ secrets.SLACK_BOT_TOKEN }} + payload: | + { + "channel": "C036AH93SPL", + "text": "āœ… *Actions Runner Check Complete*\n\nNo updates needed. Current version `${{ steps.current-version.outputs.current }}` is up to date." + } diff --git a/Dockerfile b/Dockerfile index 95783d2..f5fbed2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/actions/actions-runner:latest AS prod +FROM ghcr.io/actions/actions-runner:2.328.0 AS prod USER root diff --git a/README.md b/README.md index 5e8fcf0..925b7f4 100644 --- a/README.md +++ b/README.md 
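Review bot: In `Compare versions`, an empty `LATEST` (failed API call or no match) sorts first and equals itself, so the step sets `update_needed=false` and the "No updates needed" Slack message is sent for a lookup that actually failed. Add a guard at the top of that script: `[ -n "$CURRENT" ] && [ -n "$LATEST" ] || { echo "version lookup failed" >&2; exit 1; }`. Separately, the job grants `issues: write`, which no step shown appears to use, and `peter-evans/create-pull-request@v5` and `slackapi/slack-github-action@v2.1.1` are referenced by tag while the job holds a write-scoped token and the Slack token. Pinning them to full commit SHAs (`uses: peter-evans/create-pull-request@<COMMIT_SHA> # v5`) and dropping the unused permission would narrow that exposure.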
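Review bot: The base image is now fixed at `2.328.0`, but as far as this series shows build.yml still derives `IMAGE_TAG` from the newest version the packages API returns, so once a newer runner is released the image can be pushed under a version tag that does not match its base. Reading the tag from this `FROM` line in build.yml, as check-runner-updates.yml already does with `grep -o 'ghcr.io/actions/actions-runner:[0-9]\+\.[0-9]\+\.[0-9]\+' Dockerfile`, would keep the two in step. A version tag can still be re-pushed upstream; appending a digest, `FROM ghcr.io/actions/actions-runner:2.328.0@sha256:<DIGEST> AS prod`, makes the base immutable, at the cost of teaching the update workflow's `sed` to rewrite the digest as well.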
@@ -11,20 +11,24 @@ docker buildx build -t gh-runner:latest . ``` The image will install following packages/tools + - [envsubst](https://linux.die.net/man/1/envsubst) - [kustomize](https://kustomize.io/) - [yarn](https://yarnpkg.com/) +- [build-essential](https://packages.ubuntu.com/focal/build-essential) There is also a [GitHub workflow](./.github/workflows/build.yml), that will build the image, tag it with appropriate ARC runner version and push it to Harbor. +Every monday at 9 AM UTC, the workflow will check for updates and if there are any, it will create a pull request with the updated version adn send update to #alerts-github channel. + > [!NOTE] > Please note, that `yarn` will need **some** valid [NodeJS](https://nodejs.org/en) runtime to work. You can install such runtime, for example, by [setup-node](https://github.com/actions/setup-node) action. - ## Deploy To deploy/redeploy new version of this runner, you have to: -1. Execute the [GitHub workflow](./.github/workflows/build.yml). It also runs on regular basis (but sometimes GitHub disables it). If you see that it already run this week, just take the latest image from our [Harbor repository](https://harbor.bratislava.sk/harbor/projects/3/repositories/actions-runner-dind/artifacts-tab). + +1. Execute the [GitHub workflow](./.github/workflows/build.yml). If you see that it already run this week, just take the latest image from our [Harbor repository](https://harbor.bratislava.sk/harbor/projects/3/repositories/actions-runner-dind/artifacts-tab). 2. Once you have the correct image tag, you need to change [this line](https://dev.azure.com/bratislava-innovation/_git/Infrastructure?path=/clusters/master/kubectl/pipeline-runner.yml&version=GBmaster&line=39&lineEnd=40&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents) in our [Azure Infrastructure](https://dev.azure.com/bratislava-innovation/_git/Infrastructure) repository, through Pull Request. 3. 
Merge it, automatic pipeline will run and deploy the change.